CS.EXCEPT.NO_LOG
Ensure all exceptions are either logged with a standard logger or rethrown.
This rule identifies catch blocks that neither log the caught exception with a standard logger nor rethrow it.
Mitigation and prevention
Logging every caught exception through a standard logger gives you a reliable record of failures, including ones that may signal probing or an exploitable flaw, and that record lets you diagnose and fix the underlying problem promptly and accurately. A catch block that only writes to the console, or does nothing at all, silently swallows the failure: the caller cannot tell that the operation failed, and nothing about it reaches the logs. Record the full exception (type, message and stack trace) in the log only; callers and end users should receive a generic message, because exception details can reveal file paths, queries and internal structure. When the exception cannot be handled locally, rethrow it with a bare throw statement rather than "throw e", which resets the stack trace.
Enforcing this rule helps protect against the OWASP 2007 Top 10 application vulnerability "A6 - Information Leakage and Improper Error Handling".
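The following is an added example, not code from the rule documentation, showing what a catch block that satisfies this rule looks like in practice: the one recoverable failure is logged and handled, everything else is logged with its stack trace and rethrown unchanged. It uses System.Diagnostics.TraceSource from the .NET base class library as the standard logger; the FileReader class, the ReadAll method and the listener setup are assumptions made for the example.

```csharp
using System;
using System.Diagnostics;
using System.IO;

public static class FileReader
{
    // Hypothetical logger for this example: TraceSource is the BCL's
    // built-in logging API, here routed to standard error.
    private static readonly TraceSource Log =
        new TraceSource("FileReader", SourceLevels.All);

    static FileReader()
    {
        Log.Listeners.Add(new TextWriterTraceListener(Console.Error));
    }

    // Reads the whole file. A missing file is the only failure this method
    // can recover from; every other I/O error is logged and rethrown so the
    // caller still sees it.
    public static string ReadAll(string fileName)
    {
        try
        {
            using (FileStream fs = new FileInfo(fileName).OpenRead())
            using (StreamReader reader = new StreamReader(fs))
            {
                return reader.ReadToEnd();
            }
        }
        catch (FileNotFoundException e)
        {
            // Recoverable: log the exception object itself (type, message,
            // stack trace), not just e.Message, and return a neutral result.
            Log.TraceEvent(TraceEventType.Warning, 0, "File not found: {0}", e);
            return null;
        }
        catch (IOException e)
        {
            // Not recoverable here: log with full details, then rethrow.
            Log.TraceEvent(TraceEventType.Error, 0, "Failed to read {0}: {1}", fileName, e);
            throw; // a bare throw keeps the original stack trace; "throw e;" would reset it
        }
    }

    public static void Main()
    {
        // Constructed sample input: a temporary file and a path that does not exist.
        string path = Path.GetTempFileName();
        File.WriteAllText(path, "hello");

        Console.WriteLine(ReadAll(path));                    // hello
        Console.WriteLine(ReadAll(path + ".missing") == null); // True, and a warning is logged

        File.Delete(path);
    }
}
```

Only the log receives the exception details; the caller of ReadAll gets either the file contents, null, or the rethrown exception, never a formatted error string that could leak into a user-facing response.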
External guidance
Security training
Application security training materials provided by Secure Code Warrior.
Vulnerable code example
using System;
using System.IO;

public class Example
{
    public void readFile(String fileName)
    {
        try
        {
            FileInfo fi = new FileInfo(fileName);
            FileStream fs = fi.OpenRead();
            fs.Close();
        }
        catch (IOException e)
        {
            // Violation: the exception is neither logged with a standard
            // logger nor rethrown. Console output is not a log, and the
            // exception object (type, message, stack trace) is discarded.
            Console.WriteLine("Exception found");
        }
    }
}
The violation is reported on the catch (IOException e) line.
Fixed code example
using System;
using System.IO;

public class Example
{
    public void readFile(String fileName)
    {
        try
        {
            FileInfo fi = new FileInfo(fileName);
            FileStream fs = fi.OpenRead();
            fs.Close();
        }
        catch (IOException e) // FIX
        {
            // The failure is now recorded through the logger. Note that
            // logging e.Message alone drops the stack trace; prefer passing
            // the exception object to a logger that records it in full.
            (new Logger()).Error("Failed to read file. " + e.Message);
        }
    }

    public class Logger
    {
        // Stand-in for the project's standard logging facility.
        public void Error(string errorDetails)
        {
            /* Logging the error */
        }
    }
}